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A natural measure for the amount of quantum information that a physical system E holds about 
another system A = Ai , . ■ ■ , A n is given by the min-entropy H m i n (A | E) . Specifically the min-entropy 
measures the amount of entanglement between E and A, and is the relevant measure when analyz- 
ing a wide variety of problems ranging from randomness extraction in quantum cryptography de- 
coupling used in channel coding, to physical processes such as thermalization or the thermodynamic 
^{■^ work cost (or gain) of erasing a quantum system. As such, it is a central question to determine the 

behaviour of the min-entropy after some process M is applied to the system A. Here we introduce a 
new generic tool relating the resulting min-entropy to the original one, and apply it to several settings 
of interest. 

• A simple example of such a process is the one of sampling, where a subset S of the systems Ai , . . . , A n is selected at random. 
The question is then to quantify the entanglement that E has with the selected systems As, i.e., Rmin(As\ES) as a function 
of the original H. min (A\E). This has two applications by itself. First, it directly provides the first local quantum-to-classical 
randomness extractors for use in quantum cryptography, as well as decoupling operations acting on only a small fraction 
As of the input A. Moreover, it gives lower bounds on the dimension of fc-out-of-n fully quantum random access encodings. 

• Another natural example of such a process is a measurement in e.g., BB84 bases commonly used in quantum cryptography. 
We establish the first entropic uncertainty relations with quantum side information that are nontrivial whenever E is not 

O | maximally entangled with A. 

+Jj • As a consequence, we are able to prove optimality of quantum cryptographic schemes in the noisy-storage model (NSM). 

This model allows for the secure implementation of two-party cryptographic primitives under the assumption that the 
adversary cannot store quantum information perfectly. A special case is the bounded-quantum-storage model (BQSM) 
which assumes that the adversary's quantum memory device is noise-free but limited in size. Ever since the inception of 
the BQSM [19], it has been a vexing open question to determine whether security is possible as long as the adversary can 
only store strictly less than the number of qubits n transmitted during the protocol. Here, we show that security is even 
possible as long as the adversary's device is not larger than n — 0(log 2 n) qubits, which finally settles the fundamental 
limits of the BQSM. 

m 

I. INTRODUCTION 

in 
o 

A central task in quantum theory is to effectively quantify the amount of information that some system E holds 
i-H about some classical or quantum data A. For classical data, i.e., A is a string X n — X\ , . . . , X n , the min-entropy 
H m in {X n | E) forms a particularly relevant measure because it determines the length of a secure key that can be ob- 
tained from X n . This is the setting typically considered in quantum key distribution where E is some information 
that an adversary Eve has gathered during the course of the protocol, and X n is the so-called raw key. More pre- 
cisely, the maximum number I of (almost) random bits 1 that can be obtained from X n that are both uniform and 
uncorrected from E obeys t « H mm (AT™|iJ), if E is classical [34] and quantum [50]. The process by which such 
randomness is obtained is known as randomness extraction (see [58] for a survey) or privacy amplification. Classi- 
cally, a (strong) randomness extractor is simply a set of functions J- — {/ : {0, 1}™ — > {0, l} 1 } such that for almost 
all functions / e f , its output f(X n ) is close to uniform and uncorrelated from the adversary, even if he learns 
which function was applied. That is, the output is of the form Pf(x)ef ~ id/2™ ® pef- A well known example 
of such a set J 7 is a set of two-universal hash functions which are used in quantum cryptography to turn a raw 
key X n into a secure key f(X n ). The min-entropy also has a very intuitive interpretation as it can be expressed as 
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1 We restrict ourselves to bits in the introduction, however, all our results also apply to higher dimensional alphabets. 
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H m inpf"|-E) = - logP guoss (X™|i?) where P gucss (X n \E) is the probability that the adversary manages to guess X n 
maximized over all measurements on E [36]. 

What can we say in the case of quantum data A? It turns out that the fully quantum min-entropy H min (A\E) 
provides us with a similarly useful way to quantify the amount of information that E holds about A. Its first sig- 
nificance is to quantum cryptography where E is again held by an adversary. More specifically it has been shown 
that a quantum-to-classical extractor (QC-extractor) can produce exactly I w R min (A\E) +\og\A\ classical bits which 
are uniform and uncorrected from E [11]. Instead of applying functions to a classical string, a QC-extractor con- 
sists of a set of projective measurements on A giving a classical string as a measurement outcome. Such extractors 
form a useful tool in two-party quantum cryptography where one might have an estimate of H m ; n (A|i?), but not of 
the min-entropy of any classical string X n produced from A. Thus R m i n (A\E) is directly related to the amount of 
cryptographic randomness that can be produced from A. 

More generally the min-entropy is of significance in quantum information theory where it quantifies the number 
of qubits of A that can be decoupled from E [25, 30]. A decoupling operation is given by a quantum operation JCa^b 
on the system A that (approximately) transforms a state pae to tb® Pe, where tb depends only on JC but not on pa- 
When t b = id/|B| is the maximally mixed state, the operation JCa^b again generates randomness with respect to 
E and can hence be understood as a fully quantum-to-quantum extractor (QQ-extractor). When decoupling is used 
in quantum information theory, E is typically the environment of a channel Ma-^b acting on half of a maximally 
entangled state &aa> and the number of qubits that can be decoupled relates directly to the number of qubits that 
can be transmitted correctly through the channel Na^b ( see [24] for an in-depth exposition). Recently, the min- 
entropy has also gained prominence in related areas such as the study of thermalization [23, 33] and well as the 
thermodynamics work cost (or gain!) of erasing a quantum system [22]. 

It turns out that the fully quantum min-entropy also enjoys a very appealing operational interpretation [36]. More 
precisely, 

H min (A|£) = - log \A\ max F(^ A ,id A A e ^ a (pae)) 2 , (1) 

where F is the fidelity (see below) and <r>^ is the normalized maximally entangled state across A and A. That is, 
Kmin{A\E) measures how close pae can be brought to the maximally entangled state by performing a quantum op- 
eration on E. Intuitively, this quantifies how close the adversary E can bring himself to being quantumly maximally 
correlated with A — exactly analogous to maximizing his classical correlations by trying to guess X n . 

A. Results 

Given the significance of the min-entropy in quantum information, it is a natural question to ask how the min- 
entropy changes if we apply a quantum operation M to A. More precisely, one might ask how H m i n (A4 (A) \E) relates 
to H min (A|£'), for some completely positive trace preserving map M. At present, we know that the min-entropy 
satisfies H m i n (M(A)\E) > H min (yl|i?) if M is unital [54]. Can we make more refined statements? 

Of particular interest to us is the case where the quantum system consist of n qudits A n = A\, . . . , A n . Our main 
result is to establish the following very general theorem for maps Ai with the property that we can diagonalize 
((M* o M) id j 4„)(<i> A „ j 4„) = X^e{o d 2 -i} ^s^s where A n = Ai, . . . , A n , d = \AA is the dimension of one of the 
individual qudits, &A"A" 1S again the maximally entangled state, and {^sjs is a basis for the space A n ®A n consisting 
of maximally entangled vectors (see Sections II and Section III for precise definitions and statement of the theorem). 
In terms of the smooth min-entropy H^ in , which, loosely speaking, is equal to the min-entropy except with error 
probability e, our first contribution can be stated as 

• Main result (Informal) For any partition of {0, ...,d 2 — 1}™ = 6 + U 6_ into subsets 6 + ,6_ we have 
2 -^{M{a-)\e) < Y /see+ A S 2- H -»( A "I £ ) + (max ses _ A 8 )d". 

At first glance, our condition on the maps M may seem rather unintuitive and indeed restrictive. Yet, it turns out 
that many interesting maps do indeed satisfy these conditions, allowing us to establish the following results. 

Entanglement sampling In the study of classical extractors, a goal was to construct families of functions / that are 
locally computable [59]. That is, if our goal were to extract only a very small number of key bits from a long string X n 
of length n, one might wonder whether this can be done efficiently in the sense that the functions / depend only on 
a small number of bits of X n . Classically, a very beautiful method to answer this question is to show that the min- 
entropy can in fact be sampled [47, 59]. That is, if we choose a subset S of the bits at random, then the min-entropy of 
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the bits Xs in that subset S obeys 

K min (X s \ES) > \S\R(R min (X n \E)/n) , (2) 

for some function R. The function R can be understood as a rate function that determines the relation of the original 

min-entropy rate H "" n ^ ^ to the min-entropy rate on a subset S of the bits. In other words, min-entropy sampling 
says that if X" is hard to guess, then even given the choice of subset S it is tricky for the adversary to guess Xs- 
To see why this yields the desired functions / note that one way to construct a randomness extractor would be to 
first pick a random subset S, and then apply an arbitrary extractor to the much shorter bit string Xs. In the classical 
literature, this is known as the sample-then-extract approach [59]. 

Inspired by the classical results of Vadhan [59], it is a natural question whether there exists QC-extractors which 
are efficient in the sense that the measurements M e M only act on a small number of qubits of A n = A\ , . . . , A n . Or, 
even more generally, whether there exist decoupling operations which depend on only very few qubits. As before, 
one way to answer this question in generality is to show that even the fully quantum min-entropy can be sampled - 
that is, that entanglement can be sampled. 

• Entanglement sampling (Informal) Entanglement sampling is possible for any quantum state pa^e, i-e., 
U E min (A s \ES) > \S\R(U m[n (A n \E)/n) for the rate function R plotted in Figure 1. See Theorem 2 for a pre- 
cise statement. 

It should be noted that even the case of standard min-entropy sampling of a classical string X n , but quantum side 
information E has proved challenging. The results of [6] imply that sampling of classical strings is possible when the 
distribution over the strings X n is uniform (i.e., px^E = (1/2™) J2 x &{o i}« \ x )( x \ ® P%)> anc ^ me s i ze °f & is bounded, 
and [38] has shown that sampling of blocks (but not individual bits) is possible. This was later refined in [63] to 
show that bitwise sampling is also possible (see Figure 1 for a comparison of the rate function). Very roughly, the 
techniques used in [63] relate the adversary's ability to guess the string X n to his ability to guess the XOR of bits in 
the string. Clearly, in the case of fully quantum A n such techniques cannot be used as it is indeed unclear what the 
XOR of qubits even means. 

As this is the first result on entanglement sampling, it required entirely novel techniques. More precisely, it in- 
spired the even more general theorem sketched above, from which entanglement sampling follows by choosing an 
appropriate map M. As a byproduct, using the same techniques, we also obtain a stronger statement of sampling a 
classical string X n with respect to a quantum system E in the sense that the rate R is improved (see Figure 1 for a 
comparison). What's more, we are able to show an even more precise statement in terms of the entropy R 2 (A n \E) p 
- without any e error terms. Classically, this quantity is known as the (conditional) collision entropy. In general, it is 
very closely related to the min-entropy, and in fact enjoys a very similar operational interpretation. More specifically, 
it can be expressed in the same form as (1) where the optimization over all quantum operations h. E ^^ n is replaced 
by the so-called pretty good recovery map A^_^ An which is close to optimal [4]. 

Application to quantum random access codes Another application of our entanglement sampling result is to the 
fully quantum random access codes. Previous works have considered encodings of n classical bits X n = X x , . . . , X n 
into quantum states p^" such that any desired bit can be retrieved with a particular success probability p [2, 45]. 
This was later generalized to retrieving any subset of k bits from the encoding [6]. The goal of [6, 45] was to derive 
a bound on the necessary dimension of p^™ as a function of p when the string X n was chosen uniformly at random. 
Here, we prove dimension bounds for encoding n qubits A n = A\, . . . , A n when we desire to recover any subset of k 
qubits with a particular fidelity. Or, read in the opposite direction, we establish a bound on the fidelity as a function 
of the dimension (see Section IV C). 

Uncertainty relations Another consequence of our main result is a new uncertainty relation with quantum side 
information [9] for measurements of n qubits A n = A\, . . . , A n in randomly chosen BB84 [7] bases. Apart from the 
foundational consequences, such relations have found use in verifying the presence of entanglement [49] as well as 
in quantum cryptography (see e.g., [11]). Our result establishes the first entropic uncertainty relation with quantum 
side-information that uses a high-order entropy like the min-entropy and that is nontrivial as soon as the system 
being measured is not maximally entangled with the observer E. In other words, this shows a quantitative bound on 
the probability of successfully guessing the measurement outcome that is nontrivial as soon as R m - m (A n \E) > —n. 2 



2 The fully quantum min-entropy can be negative up to H m i n (A n |E) = 



— n if pA" e is the maximally entangled state. 
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• High-order entropic uncertainty relation for BB84 bases If X n is obtained by measuring the system A n in 
a random BB84 bases 9™, we have H m \ n (X n \EQ n ) > n ■ §7 ( Hmi "^f — where the function 7 is plotted in 
Figure 2. See Theorem 10 and Corollary 11 for precise statements. 

We also prove uncertainty relations for qudit-wise measurements in mutually unbiased bases in Theorem 12. Again, 
these results follow from our very general theorem sketched above, this time for a map M that represents randomly 
chosen measurements. 

Applications to the noisy-storage model Our new uncertainty relations have several interesting applications to 
cryptography. The goal of two-party cryptography is to enable Alice and Bob to solve tasks in cooperation even if 
they do not trust each other. A classic example of such tasks are bit commitment and oblivious transfer. Unfortu- 
nately, it has been shown that even using quantum communication, none of these tasks can be implemented securely 
without making assumptions [15, 17, 21, 40, 41, 44]. What makes such tasks more difficult than quantum key dis- 
tribution is that Alice and Bob cannot collaborate to check on any eavesdropper. Instead, each party has to fend for 
itself. 

Nevertheless, because two-party computation is such a central part of modern cryptography, one is willing to 
make assumptions on how powerful an attacker can be in order to implement them securely. Classically, such as- 
sumptions generally take the form of computational assumptions, where we assume that a particular mathematical 
problem cannot be solved in polynomial time. Here, we consider physical assumptions that can enable us to solve 
such tasks. In particular, can the sole assumption of a limited storage device lead to security [43]? This is indeed 
the case and it was shown that security can be obtained if the attacker's classical storage is limited [16, 43]. Yet, 
apart from the fact that classical storage is cheap and plentiful, assuming a limited classical storage has one rather 
crucial caveat: If the honest players need to store n classical bits to execute the protocol in the first place, any classical 
protocol can be broken if the attacker can store more than roughly n 2 bits [26]. Motivated by this unsatisfactory gap, 
it was thus suggested to assume that the attacker's quantum storage was bounded [7, 12, 18-20], or, more generally, 
noisy [37, 51, 60]. The central assumption of the noisy-storage model is that during waiting times At introduced in 
the protocol, the attacker can keep quantum information only in his noisy quantum storage device; otherwise he is 
all-powerful (see Section IV E). 

The assumption of bounded or noisy quantum storage offers significant advantages in that the proposed protocols 
do not require any quantum storage at all to be implemented by the honest parties. They are typically based on 
BB84 [37] or six-state [11] encodings, and indeed the first implementation of a bit commitment protocol has recently 
been performed experimentally [46]. So far it was known that there exist protocols that send n qubits encoded in 
either the BB84 or six-state encoding, and that are secure as long as the adversary can only store strictly less than n/2 
or 2n/3 noise-free qubits respectively. 

Using our new techniques, we are able to show security of the primitive called weak string erasure [37] (see Sec- 
tion IV E), which in turn can be supplemented with additional classical or quantum communication [64] to obtain 
primitives such as bit commitment. 

• Application 1: Bounded storage There exists a weak string erasure protocol transmitting n qubits that is secure 
as long as the adversary can store at most strictly less than n — 0(log 2 n) qubits. The protocol does not require 
any quantum memory to be executed, and merely requires simple quantum operations and measurements. 
See Theorem 15 for a precise statement. 

It should be noted that no such protocol can be secure as soon as the adversary can store n qubits, so our result 
is essentially optimal. Our result highlights the sharp contrast between the classical and the quantum bounded 
storage model and answers the main open question in the BQSM. The noisy-storage model offers an advantage over 
the case of bounded-storage not only for implementations using high-dimensional encodings such as the infinite- 
dimensional states sent in continuous variable experiments, but allows security even for arbitrarily large storage 
devices as long as the noise is large enough. 3 Essentially, the noisy-storage model captures our intuition that security 
should be linked to how much information the adversary can store in his quantum memory. The first proofs linked 



3 For information theory experts, we note that security in the noisy-storage model does not directly follow from security in the bounded-storage 
model because the entanglement cost of a channel [8] is not equal to its quantum capacity. The entanglement cost measures the number of noise 
free channels (bounded storage) needed to simulate a certain number of noisy channels, in the presence of classical communication. As such, 
it allows properties of noisy channels to be derived from properties of noiseless channels: a certain amount of noisy channels cannot be used 
to accomplish a certain task (like sending a certain number of qubits with a given fidelity) because otherwise also some number of noise free 
channels could be used by simulating the noisy ones. 
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security to the classical capacity [37], the entanglement cost [8] and finally the quantum capacity [11]. The latter 
result used a protocol based on six-state encodings. 

• Application 2: Noisy storage We significantly push the boundaries regarding when security is possible in the 
noisy-storage model (see Section IV E). Furthermore, we link security of a BB84-based protocol to the quantum 
capacity of the adversary's storage device for the first time. See Theorem 14 for a precise statement. 



II. PRELIMINARIES 



A. Basic concepts and notation 

In quantum mechanics, a system such as Alice's or Bob's labs are described mathematically by Hilbert spaces, 

denoted by A, B, C, Here, we follow the usual convention in quantum cryptography and assume that all Hilbert 

spaces are finite-dimensional. We write \A\ for the dimension of A. A system of n qudits is also denoted as A n = 
Ai,..., A n , where we also use \A\ to denote the dimension of one single qudit in A n . The set of linear operators on A 
is denoted by C (A), and we write Herm( A) and Pos(A) for the set of hermitian and positive semidefinite operators on 
A respectively. We denote the adjoint of an operator M by Aft. A quantum state pa is an operator p A € S(A), where 
S(A) = {a A € Pos(A) | Tv(a A ) = 1}- We will often make use of operator inequalities: whenever X, Y e Herm(A), 
we write X ^ Y to mean that Y — X e Pos(A). A quantum operation is given by a completely positive map 
M : C(A) -> C(C). A map M is said to be completely positive if for any system B and X e Pos(A B) we have 
(M id)(X) > (see [29] for properties of quantum channels). 

Throughout, we use the shorthand [d] = {0, 1, . . . , d — 1}. We will follow the convention to use H to denote the 
unitary that takes the computational {|0), |1)} to the Hadamard basis: H\0) = -^(|0) + \l)),H\l) = 4§(|0) - |1)). 

When considering n qubits, we also use H e " = H 01 • • • H Bn for the unitary defining the basis 6 n G {0, 1}™. 



B. Entropies 

Next to its operational interpretation given in (1), the conditional min-entropy of a state pab € S(AB) can also be 
expressed as 

H min (A|B) p = max R milL (A\B) p{(7 with U milL (A\B) p{r7 = max {A e R : 2" A • id A a B > Pab) , (3) 

"b^S(B) 

where the symbol id^ refers to the identity on A. We use the subscript p to emphasize the state pab of which we 
evaluate the min-entropy. The smoothed version is defined by H e min (A\B) p = maXp ABeB ^ PAB) R min (A\B) p , where 
B e {p) is the set of states at a distance at most e from p. We use the purified distance as the distance measure [55]. We 
refer to [54] for a review of the properties of the min-entropy. 

It is simpler to state our results in terms of the related collision entropy defined for any pab € Pos(A B) by 



H 2 (A|B) p = -logTr 



( -i/4 -V 4 Y 
[Pb PabPb ) 



(4) 



The two entropy measures H min and H 2 are closely related as shown in Lemmas 17, 18 and 19. The collision entropy 
also has an appealing operational interpretation [10] as 

R 2 (A\B) P = - log (\A\F(*%,idA ® ^ e \Apae)) 2 ) , (5) 



where F(&\, a 2 ) = Tr (-v/v^i^v^i) i s the fidelity, and A^ 8 ^, is the pretty good recovery map [4] (see Section C of 
the appendix). Finally, we use the binary entropy function h(x) = — x log x — (1 — x) log(l — x). 

For the curious reader, we note that the quantity (5) has indeed also appeared in a slightly different guise in 
the context of norms employed for the study of mixing properties of quantum channels [53]. Specifically, we have 
\\pab\\*,2 = 2- B ^ A \ B ^ with d = kIa P B X for the norm || • || CT>2 defined in [53]. 
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C. A convenient basis 



_ Throughout, we make use of a very convenient basis of maximally entangled states for the space A A where 
A ~ A. The (unnormalized) maximally entangled state 



(6) 



will play an important role in our analysis. Here, the vectors \a) label the standard basis of A. We use |<& ) AA to 



denote the normalized version \$ N ) AA = 
X and Y acting on A, we have 



/\A\ 



\$)aa- We repeatedly use the following properties. For any operators 



Tr[XY]=Tr[X®T(Y)$ AA ] 



where T denotes the transpose map in the standard basis and ® AA = \®}(&\aA- Moreover, we have 

{X®U A )\*)AA = (ttA®T{X))\*) AA . 



(7) 



(8) 



Using (7) and (8) one can naturally construct an orthogonal basis of A A by applying unitary transformations to |$) 
that are orthogonal with respect to the Hilbert-Schmidt inner product. Define for s e [|^4| 2 ], |3> s ) = (W s ® id)|$) A ^ 
where W s denote the generalized Pauli operators (see e.g., [3]), sometimes also called Weyl operators. In fact, all 
our results would hold for any unitary operators W s that are orthogonal with respect to the Hilbert-Schmidt inner 
product. We again use $ s = |<f> s )($ s |. 

In particular for | A\ = 2, Wq, W\, W2, W 3 are the Pauli operators, and we obtain the well-known Bell basis 



5>n = 



/ 1 1 \ 





V 1 1 J 



$1 



/o \ 
110 
110 

\ / 



(9) 





1-10 
0-110 





1 





-10 1 



1 



(10) 



Note that in this numbering scheme, $ 2 is the singlet. 

For n > 0, we will denote by A n the system ®" =1 A ir where each Ai is a copy of A. Furthermore, if S C {1, . . . , n}, 
we write As to denote (£) ieS M- In other words, A n consists of n copies of the system A, and As contains the copies 
that correspond to indices in S. In such a setting the dimension of the system A is denoted d. We can naturally define 
for s e [d 2 ] n , |4> s ) = ®" = i|$ S4 ),4 i A i - ^ e then have that {^=|$ s )} s is an orthonormal basis of A n A n . For such strings 
s, we denote supp(s) = {i e {1, . . . , n} : Sj ^ 0} and |s| = |supp(s)|. 



III. EVOLUTION OF H 2 UNDER GENERAL MAPS 



In this section, we derive constraints on the evolution of the conditional collision entropy H 2 when the system A n 
undergoes some transformation described by a completely positive map A4 . Our results on entanglement sampling 
and uncertainty relations are obtained by evaluating this bound for particular channels A4. A statement for the 
smooth min-entropy follows directly by applying Lemma 19. 

Theorem 1. Let Ma^^c be a completely positive map such that {{M^ o M)a™ <8> ^A")(^a^A") = J2 s e[d 2 ]" ^s^s and 
let p A n E e S(A n E) be a state, where A n = A\, . . . , A n is comprised of n qudits of dimension d. Then for any partition 
[d 2 ] n = & + U 6_ into subsets 6+ and 6_, we have 

2 -H 2 (C\E) M(p) ^ y Xs2 -H 2 (A~\E) P + (maxAs)d ™. 

see + 
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The maps M of interest typically have some symmetry. For example, if the map M is invariant under permutations 
of the n systems Ai,..., A n , then the coefficients A s only depend on the type of s, i.e., the number of times each 
symbol in [d 2 ] occurs in s. In fact, all of the examples we consider here are such that A s only depends on the weight 

\8\ = \{ie[n]: 8i ?0}\. 

Proof. Let p A n E = p E 1/4 p A ™ E p E 1/4 , and let Pa™ A™ = T^eeKpa^e T{p AnE ))§ EE ]. Note that p A n A n > and 
Tr[p AnAn ] = Tr[p|] = 1. Furthermore, let M be such that M(T(X)) = T(M(X)) for all X. Our first goal is to 
rewrite H 2 (C|.E) CT in terms of the basis {$ s } s . We obtain from (7) 

2 -n 2 (c\E )a = Tr[ M {p AnE )*] 

= Tr[(M(p A n E ) T(M(p A n E )))$ C c $> EE ] 
= Tr[(M(p A n E ) M{T(p A n E )))$ C c $ EE ] 
= Tr[(p A n E ® T(p AnE ))((M^) (M^)(<P cC ) 

Now by performing a Kraus decomposition of and using (8), we see that (id c M^)($ C c) — (M A ^^c ® 
id j 4„)($ A „^„). Thus, we obtain using the condition on M 

2 -k 2 (c\e)„ = Tr[(p A „ B T(p AnE ))((M^ o M) id^)($ A „ A -„) 
= Tr[p A „^((Xt ^) id A „)(* ABX -„)] 

= J2 KTr\p AnA n*.]. (12) 
s e[d 2 ]" 

We now prove the two key constraints on the terms Tr[p AnAn $ s ] we will be using. First, we have a global constraint. 
Note that the set of vectors { y|^| < f ) s)}se[d 2 ]" forms an orthonormal basis and thus id^n^n = J2se[d 2 ]™ This 
yields 

£ Tr[^ n $ s ] =( rTr[p^ n ]=d". (13) 

se[d 2 ]" 

The second observation concerns the individual terms Tr[p AnAn $ s ]. For any s, 

Tr[p AnAn <S> s ] = Tr{p AnAn (W s id^)$ A „^(I4^ id*,)] 
= ^[(WJp^bW. T(p Ang )) $ A „^ n 
= Tr[Wjp A nEW s ^n E )] 
S CTr[p^] = 2- H2 ^l^, 

using the Cauchy-Schwarz inequality. Also, observe that the positivity of p A n A n and $ s implies that Tr[p A „^„$ s ] > 
0. Thus, we have 

(K ^ 2- H2 < A "l^. (14) 

Applying inequalities (13) and (14) to (12), we obtain the desired result. □ 

We remark that equations (13) and (14) are the only properties of the operator p A n E that we are using. This means 
that the result would also hold for possible operators p A ™ E that do not correspond to states but still satisfy these 
conditions. 



IV. APPLICATIONS 



We now derive several interesting consequences of Theorem 1. All of these follow by making an appropriate 
choice for the map M. 



8 



A. Quantum-quantum min-entropy sampling 



1. Statement 



We now state our results on entanglement sampling. The theorem below deals with the following scenario: we 
have n qudits and we choose a subset of them of size k uniformly at random. We have a lower bound on the collision 
entropy of the whole state conditioned on some quantum side-information E; the theorem then gives a lower bound 
on the conditional collision entropy of the sample. The rate function obtained is plotted in Figure 1 together with an 
upper bound on the optimal rate function given by a particular example presented in Theorem 5. The same figure 
also shows plots of classical-quantum sampling results that are discussed in Section IV B. 



Theorem 2. Let pa™e & S(A n E) and 1 < k ^ n, let d — \ A\ be the dimension of a single system, and let h 2 
Then, we have for n > d 2 



H 2 (A"|g). 



2 -H 2 (A s |ES) f 



(15) 



where Rd(-) is the rate function defined as Rd{x) :— — log(d — df d 1 (x)), and fd(x) := h(x) + x\og(d 2 — 1) — logd. 
In terms of smooth min-entropy, we have for any e £ (0, 1] 



Rl in {A s \ES) p > kR d (h min ) - log(n 2 + 1) - log ■ 



(16) 



where h„ 



H mm (A"|g) P 



See Figure 1 for a plot of i?2(/i2)- Note that fd is an increasing function on [0, d d2 1 ] with /d(0) = — logd and 
fd (^jr^ = log d. We can thus define its inverse function ff 1 : [— log d, log d] —> [0, ^js^]. 



Rate function 
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FIG. 1: Plot of our quantum-quantum rate function Ri^h-i) from Theorem 2 ( ), our classical-quantum rate function C%{hi) 

from Theorem 6 ( ), Wullschleger's min-entropy sampling result [63, Corollary 1] ( — ), Vadhan's purely classical min-entropy 

sampling results [59, Lemma 6.2] (- -), and the classical and quantum upper bounds we get from a state that is uniform on 

strings of a fixed type analyzed in Theorems 5 and 8 ( , - - ). As Vadhan's result requires a choice of parameters we chose 

t = 0.1, which yields a lower bound on the smooth min-entropy, with smoothing parameter of the order of 10 -6 for a block size 
of n = 10000. 
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Proof. We start by observing that (15) directly implies (16). This follows from the fact that h 2 > h min (Lemma 17) and 
Lemma 19. 

We now prove (15) by applying Theorem 1 for an appropriately chosen map M. Define M A n^ A k S {X) = 
fev J2sc[ n ] \s\=k Trs=[^] |<5)(5|, for X e C(A n ), where the second register contains a classical description of 



the set S, and S c denotes the complement of S in [n] . The reason for this normalization will be clear in the following 
calculation. Our first task is to relate this map to the task of sampling entanglement. We have 



2 -H 2 (A k S\E) M(p) = Tr 



Tr 



{p E 1/A {M®mp A -E)p E lli )' 



V \yJKk) \ s \= k 



E®\S)(S\\p E 



1/4 



E SC[n],|S|=fc Tr 



[P E PAsEPe 



-K 2 (A s \ES) p 



where for the last equality we used the expression for the entropy conditioned on the classical system S (Lemma 23). 
Note that in the second line above, we slightly abused notation and identified A k with the spaces A s for different 
values of S. 

Our second task is to show that our choice of map satisfies the conditions of Theorem 1. We have 



((M t oM)®id y i„)($ 



A" A 71 



(-^Eiwi®*^ 

\y{k) \s\=k 



' id. 



(n\ E ®A S A S 
™) \ S \=k 



id 



AscAc 



We now write this operator in terms of {$ s }se[d 2 ] n - Recall that {y=| ( f > ;s )}s forms an orthonormal basis and thus 

((MioM)®id An )($ AnAn ) = -^Yl E ^ 

\k) |S| = fc s:sup p( s )CS= 

f n — \s\ 



As a result, the coefficients A s from Theorem 1 are A s 



d n-k {l) 

_ m 



E 



s:|s|^n — k 



. Observe that A s only depends on \s\ and is a 



decreasing function of \s\. In order to apply Theorem 1, it is natural to choose the partition & + U 6_ of the form 

6 + = {s e [d 2 ] n : \s\ < £q} and 6_ ={se [d 2 ] n : \s\ > £ } for a value of £q € {0, . . . , n} to be chosen as a function of 

Writing equation (11) in our case we obtain, 



2-h 2 (a s \es) p < v k ) 
e=o a 



(d 2 - iy2- h * n + K k ' d k 

\k) 



(17) 



Now all that remains is to optimize over £ and to find a simple expression for this quantity. Before choosing £ 0/ we 
simplify the expression above. For the second term, we bound 

( k )_ d k < fn-io- l\ Ak 



(I) 



d K . 



To obtain a simple bound on the first term, we use the following lemma, which is proven in the appendix. 
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Lemma 3. For any t Q e {0, . . . , n} such that £ < ^~^~ n where d 2 < n, we have 



1=0 

It then follows from equation (17) that 



2-^\es )p ^ max ('" I) 1 ,r ( 2 'j'Vf " ),F I I ) . 



We now determine the value of £q as a function of h 2 . Observe that using Lemma 25, we have (™) (eP — I) 1 



2 nh(e a /n)( d 2 _ x y = 2 nfd(t /n) d n prov id e d £ < ' L ar n - w e define £ to be the largest integer that is at most ^ 
such that fd{Zo/n) ^ /i 2 . As a result, we have 



2 -U 2 (A s \ES) p ^ max ( n t_0 1 1 \ * d k , 2 + ^ (18) 

\ n a 2 J 

Observe also that in the case where the maximum is 1/d 2 , the result follows directly as Rd{hi) < log d. In the case 
where {n-£ -l)/n > 1/d 2 , we observe that (£ +l)/n > fj 1 ^) by our choice of £ . Note that if £ Q + l < (d 2 ~l)/d 2 -n, 
this follows from the fact that / d is nondecreasing, and otherwise it follows from the fact that by definition f^ 1 is 
always upper bounded by (d 2 — l)/d 2 . 

We now write in terms of the entropy rate h 2 : 

fclog [ — — — ] = fclog [1 — ^ 

V « / V 71 

oioga-/,- 1 ^)) 

= fclog(rf-d/- 1 (/i 2 ))-fclogd 
= -kR d (h 2 ) - klogd. 

By plugging these inequalities into (18), we obtain the desired result. □ 



2. An upper bound on the rate function 

Note that the rate function obtained in Theorem 2 is independent of the state pae and of the size of the sample k. 
The objective of this section is to show that with such a requirement, the rate function R d cannot be improved too 
much especially when hi is close to the minimal value of — log d. 

Definition 4. We define the optimal rate function R d pt as 

R d pt (h 2 ):=limmil min yH 2 (A s \ES) p ) , 

n>l \ke[n],p A n E such that ±H 2 (A n \E)^h 2 k J 

where A n = A\, . . . , A n is comprised ofn qudits of dimension d. 

We now derive an upper bound on the rate function that will show that our result is fairly close to optimal for 
small h 2 and small k. The idea is to choose a state that consists of n EPR pairs that have been corrupted by a fixed- 
weight generalized Pauli error. In this case, if this weight is small enough, the sample will avoid all the errors with 
relatively large probability and the collision entropy of the sampling is going to be much smaller than kh 2 . 

Theorem 5. It holds that Rf\h 2 ) ^ - log(d - 2df- 1 (h 2 )). 
Proof. Let E = B n = A n , and consider the state 



«... -!)•)"' e £ 

s,\s\=w 
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for some particular w. This is a maximally entangled state between A n and B n that has been corrupted by a random 
error of weight exactly w. We can compute its collision entropy 



2 -h 2W ), = TVlp-VWp^Wfl-] 



-V2, 



(d 2 -irj ^ Tr[id^] 

s,|s|=iu 

(d 2 - 1)™) d" 



^ 2^—nh(w/n) — w \og(d 2 — l)+n log d+log n 

Hence, /i 2 ^ fd(w/n) - ± logn. 

Now, let us compute the collision entropy for a random subsystem of size k with | -> 0. Note that we have 



se[d 2 ] s 



where er e [d 2 ] n is a random string of weight exactly w, and a s is the substring index by elements of S. Then we 
have 



Tr 



/4 



r 1 S B"P B " /4 ) = Pr{cr s = s}Pr{(7s = s'} 

= rf fe Pr{ ( r s = ^}. 



M Tr[$ s $ s 



Thus, we want to evaluate the average over S of this probability. For any fixed a and a' of weight w and choosing a 
random subset of size k, the corresponding substrings will be the same if they avoid all positions where a or a' are 
non-zero. As a result the collision probability for the sample is at least 



n — 2w n — 2w — k + 1 
n n — k+1 



-k-2i 



1 - 2 



nJ \n — k 



>(l-2/-(fc + I logn) 



Taking the limit over n -> oo and ^ -> 0, we get that 



2 -H 2 (A s |B) ^ ( d (l_ 2 / d - 1 (/ i2 ))) fc . 



This directly yields the theorem. 



□ 



3. Applications of entanglement sampling 

An immediate consequence of our result on entanglement sampling concerns the existence of decouplers (QQ- 
extractors) using only very few qubits. A decoupling operation is some process JCa^b that applied to the A system 
transforms pae to a state that is close to t b pe, where t b is a state that depends only on the map JC but not 
on the initial state pae- hi quantum information theory, such processes typically consist of applying a random 
unitary U to A, followed by a map Ta-^b such as the partial trace operation. That is, the map JC is of the form 
JC(pa) = J cIp(U)Ta^b(V PaU^) ® \U)(U\, where \U) is a classical register containing the choice of unitary. 

Decoupling theorems in quantum information theory have their origin in quantum channel coding [1, 30, 32] 
where T is usually the partial trace, and t b = id/|B|. In this context, the size of the system \B\ that one can decouple 
from E, can be related to the number of qubits that one can pass through a quantum channel whose environment is 
E with vanishing error. In this context, the choice of unitary U yields an encoding scheme (see [24] for details). More 
recently, the decoupling theorem has been generalized to a wide variety of maps T [24, 25]. 

Decoupling results are known when the unitaries are chosen from the Haar measure [1, 24, 25, 30], from a 2-design, 
from an approximate 2-design [52], or from even more efficient sets of unitaries [13]. In contrast, when A is classical, 
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many decoupling operations are known in the form of randomness extractors discussed in the introduction (see [58] 
for a survey). Of particular interest in both computational [30] and physical applications [22, 23, 31, 33] are unitaries 
which are efficient. In a computational setting, this generally refers to unitaries that can be implemented using 
low-depth quantum circuits, whereas in physical scenarios it is usually of interest that they arise from Hamiltonians 
involving only nearest neighbour interactions over a short period of time. 

As an example of the physical relevance of decoupling theorems, let us consider the case where A is comprised 
of a system A sys and a bath A hath , and T = Tr j4bath is the operation that traces out the bath. A decoupling theorem 
for certain classes of unitaries then says that for very many unitaries in that set, the resulting state of the system 
tb is independent of its initial state, one of the steps considered in the process of thermalization [39]. That is, it 
tells us that certain evolutions of the system and the bath, namely those corresponding to such unitaries, can lead 
to thermalization. This holds even in the stronger sense of relative thermalization where one requires that the state 
of the system becomes independent of an observer holding E [23]. In fact, the decoupling theorem [25] for Haar 
measure random unitaries can even be used [33] to recover the results of [48] stating that for most initial states of A, 
or equivalently most unitary evolutions on A, the resulting state is close to the canonical state. 

As such, it is an interesting question to determine which sets of unitaries lead to a decoupling theorem. Here, our 
goal is to show that if A™ = A\,...,A n consists of n qudits, then there exist decoupling operations involving only 
a (small) subset of such qudits. As outlined in the introduction, one generic way to accomplish this task is to show 
that the fully quantum min-entropy can be sampled. Decoupling operations involving only few qudits can then be 
obtained in a "sample-then-decouple" fashion similar to the classical "sample-then-extract" approach of [59]. That 
is, one first samples a set of qubits, and then applies an arbitrary decoupling operation on the resulting sample. 

Our result extends to any of the more modern decoupling theorems involving entropy measures [24, 25]. 4 To 
illustrate this idea, let us consider the example of A n = Ax, . . . , A n consisting of n qubits, unitaries chosen from the 
Haar measure, and T being the partial trace operation Tr„_ r (/u) tracing out all but r of the n qubits. In terms of the 
H 2 entropy is was shown [24, 25] that 



d(U) 



Tr„_ r ®\& e {pae) - 2T ® Pe 



<; 2 -5( H 2(^|£)+n-2r) j (19) 



where \\p — <t||i is the trace distance of p and a. If we now first sample a subset of size k of the qubits, then our 
sampling result states that for unitaries chosen according to the Haar measure of qubits 



/ 



d(U) 



Tr| S |_ r ®id E (p AES ) - ^ pes 



<2 -i[|S|(*(a^a)-l)- a r- ] o.(n- + l)] ; (2Q) 



for the rate function given in Theorem 2. Similarly, our sampling result can be applied to the special kinds of 
decoupling maps known as quantum-to-classical randomness extractors [11]. In this context, sampling allows the 
generation of classical randomness from a quantum system 5 by applying measurements to only a few of the qubits 
of A. 



B. Classical-quantum min-entropy sampling 

1. Statement 

Observe that in the case where the system A n is classical, i.e., pa™e = J2 x n e[d] n P( xn )\ xn )( xn \ ® PE{x n ) for some 
distribution p and states pe{x u ), Theorem 2 can still be applied but in many cases it give trivial bounds. In fact, 
when A n is classical, we have K 2 (A n \E) ^ as well as H.2(As\ES) > 0. In order to improve on the lower bound 
of Theorem 2 in the case of a classical system, we can apply Theorem 1 to a more specific map A4 that measures the 
systems A s that are sampled. This allows us to obtain a lower bound on the collision entropy H 2 (A S \ES) that is 
nontrivial for the entire range H 2 (A n |i?) e [0, n log d]. 

Unlike the fully quantum case about which not much was known, the classical-quantum min-entropy sampling 
has been previously studied in particular in [6, 38, 63]. We briefly highlight the similarities and differences with 
our results in Theorem 6. The work of [6] is restricted to the case where A n is uniformly distributed and obtains 



4 In contrast to statements involving only the dimensions of systems as in e.g., [1]. 

5 Of which we only have a guarantee about the entropy. 
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a lower bound on the non-smoothed min-entropy 6 of the sample as a function of the dimension of the system E 
rather than the conditional entropy. This special case is particularly interesting in the context of random access 
codes. The parameters they obtain are better when the dimension of E is small, i.e., h 2 is large. However, their 
techniques fail to give a nontrivial bound when h 2 is small. See Section IV C for more details. The sampling theorem 
of [63] works for general classical-quantum states and gives a lower bound on the non-smoothed min-entropy of 
the sample. The parameters are illustrated in Figure 1. The work of [38] considers the general classical-quantum 
case and focuses on the smoothed min-entropy. This result extends Vadhan's classical min-entropy sampling [59] 
result to the case of quantum side information. Hiding technicalities (like the fact one should sample blocks rather 
than bits) and neglecting terms that depend on the smoothing parameters, the rate function they obtain is basically 
optimal R(a) = a, 7 as the plot of Vadhan's result in Figure 1. 

Our sampling result has an application to randomness extraction, in that it yields a general way to construct 
locally computable extractors even with respect to quantum side information E. This is analogous to the application 
of entanglement sampling to decoupling discussed above. 

Theorem 6. Let p A -n E be a classical-quantum state, and 1 < k < n, let d = \A\, and let h 2 2 n — ■ Then, for any 
n > d, 

2 --H 2 (A s \ES) p = E 2 -n 2 (A s \E) p < 2 -feC £i (/ l2 )+log(r l 2 + l) 

where C d (-) is the rate function defined as C d (a) := — log(l — c d 1 (a)), and c d (a) := h(a) + a log(rf — 1). In terms of smooth 
min-entropy, we have for any e £ (0, 1] 

R £ min (A s \ES) p > kC d (h min ) - log(n 2 + 1) - log ^, (21) 

where h min := H """ ( f 

See Figure 1 for a plot of C'2(h 2 ). Note that c d is an increasing function on [0, ^=^] with c d (0) = and c d (^p) = 
log d. The inverse function c^ 1 : [0, log d] -> [0, ^p] is therefore well-defined. 

Proof. The proof is very similar to that of Theorem 2: one uses Theorem 1 with M.A"-tA*>s{X) = 
y^£sc[n],|S|=fc£x*e[d]s (x k \Tr S c[X}\x k ) ® ^(^l \S)(S\, where {\x k )} xke[d] s is the standard basis of A s . We 

then find that 

\k) \s\=k \ x k / 

Recall that we want to write this operator in terms of <fr s = (W s id)^^^^^ (Wj id), where W s — W Sl • • • W s n is 
a product of generalized Pauli operators. Let us now assume that the numbering of the Pauli operators is such that 
W , ... , W d _i are defined as W y \x) = e 2 ™ x y/ d \x) for all x, y £ [d\. It then follows that 

^E*. = ^E E e^-*'M d \x)(x'\®\x)(x'\ 

yG[d] y£[d]x,x'e[d] 



E \x)(x\a ® \x)(x\ A . 



As a result, we can write 



((MioM)®id An )($ AnAn ) = -i- e E 

\k) a | S |=fc se[d 2]n 

sie[d],ies 



= T ( n -\ 8 \<A$ 



6 The fact that the min-entropy is non-smoothed is important for the application to random access codes. 

7 To obtain such a result, smoothing is in fact necessary as shown by the example of Theorem 8. 
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where |s|«j = \{i e [n] : e As a result, the coefficients A s from Theorem 1 are A s = v k , n , ' , which only 

\k) 

depends on |s|<d and is a decreasing function of |s|<d- As before, it is natural to choose the partition (5+ U 6_ from 
Theorem 1 of the form 6+ = {s e [d 2 ] n : \s\ <d sC £ } and 6_ = {s e [d 2 ] n : \s\ <d > £ } for a value of £ e {0,...,n} 
to be chosen as a function of h 2 . We then have 

( n ~ e ) /n\ (n-e -l\ 



*o in— 1\ / \ 

2 -h 2 (As\es) p ^ y Lk)( n )r# - d) l d n - l T h - n + 



...... ( n ) 

£=0 \kJ ^ -/ \kJ 

<^£(":*V-i)«+(=^Y. w 



To obtain a simple bound on the first term, we use the same Lemma 3 as in the proof of Theorem 2 replacing d 2 by d. 
Equation (22) then becomes 



2 -K 2 (As\ES) p ^ max ^-lo-l ; l^J * ^-^2 (d _ 1)<0 + ^ 

We now determine the value of £q as a function of h 2 . Observe that using Lemma 25, we have (i)(d 2 — l) e ° < 
2 nh(e /n)( d _ iy a = 2 nc d (i„/n) prov id e d £ ^ ^n. We define £ to be the largest integer that is at most such 
that Cd{£o/n) ^ /i 2 . As a result, we have 

2 -Ws\es )p ^ max ( n-e Q -i i\ k , 2 + , 

\ n d J 

If the maximum is 1/d, then we directly get the desired result. Now we use the maximality of £ to say that (£ + 

l)/n > c^{h 2 ). Finally, 

n-£ -l\ A £ + l 



fclog ^ — — — — = fclog ^1 



n 

^klog(l -c^(h 2 )) 
= -kC d (h 2 ). 

By plugging these inequalities into (23), we obtain the desired result. □ 



2. An upper bound on the classical rate function 

Like in the quantum case, one can find an upper bound for the rate function. Here, our upper bound will even 
hold for non-conditional entropy (i.e., when E is trivial). 

Definition 7. We define the optimal classical rate function C^ pt as 

C° pt (h 2 ) := liminf ( min ^H 2 (Xs\ES)A , 

™>1 \ke[n],p x n. E such that i [ H 2 (X"\E)^h 2 K J 

where X n = X\, . . . , X n is comprised of n dits of dimension d. 

We will now derive an upper bound on the rate function that will show that our result is fairly close to optimal for 
small h 2 and small fc. We will derive our upper bound by considering the uniform distribution over strings of fixed 
Hamming weight. As in the fully quantum case, it will turn out that distributions of small Hamming weight still 
have a relatively high h 2 compared to the probability of getting a in the sample, and this yields an average entropy 
for the sample that is much lower than kh 2 . 



Theorem 8. It holds that C° pt (h 2 ) ^ - log(l - 2c~ 1 (/i 2 )). 
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Proof. Let E be trivial, and consider the state 

Px™ = \{s,\s\ = w}\~ 1 \ s )( s \ 

s.\s\—w 

for some particular w. We can compute its collision entropy: 

Tt[A„] = i{».M = »}r' 

^- 2~ nh(w/n) — w log(d— l)+logn 

Hence, /i 2 ^ c d (w/n) - \ logn. 

Now, let us compute the collision entropy of the sample when - — > 0. Fix a pair of strings s and s' with weight w. 
Choosing a random subset of size k, the corresponding substrings will be the same if they avoid all positions where 
s or s' are non-zero. As a result the collision probability for the sampled substring is at least 




Taking the limit over n -> oo and £ — > 0, we get that 

2 -H 2 (A s |B) ^ ( 1 _ 2c - 1 (/l 2 )) fe . 

This directly yields the theorem. 

□ 

C. Dimension bounds for random access codes 

One application of our sampling results is to bound the dimension of quantum random access codes. To translate 
a result about min-entropy sampling into a result concerning random access codes, one simply considers the system 
E to be composed of m bits or qubits and then considers the special case of a uniform distribution onli... X n . That 
is, the state px™E is of the form 

Px-e = ^ £ \x n )(x n \®p% n . (24) 
x™e{o,i}" 

The quantity of interest when studying a random access encoding of a classical string X n is the minimal dimension 
of E needed to recover any subset of size k of the bits with some desired probability p. Recall the operational 
interpretation of the conditional min-entropy H min (X S \E 'S) as the best probability for guessing the bitstring Xs 
when having access to the system E. Thus, a lower bound on the min-entropy H min (Xs \ ES) directly gives an upper 
bound on the probability of successfully recovering a randomly chosen system S of size k. The latter is exactly the 
success probability of fc-out-of-n random access code as defined in [6]. 

More precisely, using Lemma 18, Theorem 6 directly leads to a lower bound on the success probability p of fc- 
out-of-n using m qubits p ^ v / 2-fcC d (i-m/n)+iog(n 2 +i)^ Compared to [6], this bound is better when m is close to 
n. Specifically, when m/n > 0.721, the technique of [6] does not give any probability bound. On the other hand, 
when m/n becomes smaller, their probability bound becomes smaller, fc-out-of-n random access codes have also 
been studied in [63] and nontrivial upper bounds on the success probabilities are obtained for all values of m. The 
exponent of the success probability is illustrated in Figure 1 (note that the plot for C'd should be divided by two to 
interpret it as a guessing probability). 
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One could similarly define fully quantum random access codes. In this setting, we want to store n qudits 
A\ , . . . , A n of information into m qudits so that a subset of k qudits chosen at random can be recovered. Given 
n and m, one can define the maximum average fidelity -F„ „ l fc with which k qudits can be recovered. As before, 
our goal will be to bound the dimension necessary to achieve a desired fidelity, or equivalently, establish an upper 
bound on the achievable fidelity as a function of the dimension. 

Theorem 9. Let n > d 2 . For any m^n and 1 < k < n 

p 2 < r,-ife(_R d (-^ logd)+logd) + i log(n 2 + l) 

Proof. Let A n be the system containing the n qudits to be stored and E be the m qudits of storage. Then, for any 
Pa^e, we have H 2 (A™|£) > — mlogd. Using Theorem 2 and Lemma 17, we have 

2 -H min (A s |^). =]E ^ Wi|s|=fe2 -H min (A s | E ) p 

^ 2-h{ kR d{-^ logd)-log(ri 2 +l)-fclogd) 
< 2 -|fe(-R<i(-f logd)-logd) + | log(n 2 + l), 



where oa^es = Pa^e <8> with S representing the choice of subset of k qudits we want to recover. Now observe 

that2- H ""''( As l i^ ' s, ) = 2 fcl °s d max £ES ^ s F($% sA , ,id As ®£(p ES )) 2 . The fidelity term is exactly the maximum fidelity 
with which the state on A s can be recovered from the system E. □ 

D. High-order uncertainty relations against quantum side-information 

Uncertainty relations play a fundamental role in quantum information and in particular in quantum cryptography. 
Many of the modern security proofs for quantum key distribution are based on an uncertainty relation [9, 56, 57]. 
They are also at the heart of security proofs in the bounded quantum storage model [11, 18, 19]. An uncertainty 
relation is a statement about a guaranteed uncertainty in the outcome of a measurement in a randomly chosen basis. 
We refer the reader to [61] for a survey on uncertainty relations. 

1. Uncertainty relation for BB84 measurements 

Specifically, here we consider a system A n of n qubits. Then we measure each one of these qubits in either the stan- 
dard basis (labeled with vector |0), |1)) or the Hadamard basis (labeled 1 with vectors |+) = (|0) + |l))/\/2, |— ) = 
(|0) — 11))/-^)- More precisely, choose a random vector 6™ e {0, 1}" and measure qubit i in the basis specified 
by the i-th component of 0™ = Gi, . . . , Q n . Call the outcome Xj. An uncertainty relation is a statement about the 
amount of uncertainty in the random variable X n = X\, . . . , X n given the knowledge of the basis choice 6". The 
uncertainty is often measured in terms of the Shannon entropy. However, for the applications we consider here, the 
measure of uncertainty needs to be stronger, i.e., we should use a higher order entropy like H min or H 2 . Such an 
uncertainty relation has been established in [18]: 

Hl in (X n \G n ) > n/2. (25) 

The way this uncertainty relation was used in the context of the bounded storage model was to apply a chain rule 
to (25) to obtain W ra{ri (X n \EQ n ) k, n/2 — log \E\. There are two reasons for this inequality to be unsatisfactory: it 
depends on the dimension of E rather than on the correlations between A n and E, and it becomes trivial when 
B 2 (A n \E) < -n/2 as this implies log \E\ > n/2. 

It is simple to see that if the system A n is maximally entangled with some system E, then the outcome X n of 
this measurement can be perfectly predicted by having access to E. In other words, if the conditional entropy 
K2(A n \E) = —n, then X n can be correctly guessed with probability 1. The following theorem provides a converse: 
if B. 2 (A n \E) ^ -(1 - e)n for e > 0, then X n cannot be guessed with probability better than 2~ nS ^ with 8(e) > 
whenever e > 0. 
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FIG. 2: Plot of the function 7(^2) ( ) from Theorem 10 giving a lower bound on the uncertainty of the outcome of BB84 

measurement as a function of the entropy rate hi of the state being measured. For measurements in the six-state bases, the 

uncertainty rate function we obtain in Theorem 12 is 72(^2) ( )■ For comparison, we also plot the uncertainty rate function 

proved in [11] ( ). 



H { A n I E} 

Theorem 10. Let pa^ e € S(A n E) where A n is an n-qubit space and define h 2 = 2 — p ■ Then we have 

R 2 (X n \Ee n ) p ^ ni (h 2 )-l 

where p x ^EB n — ^ Ei»e{n 1}" e™e{o 1}" \x n )(x n \(x n \H e " pa^eH 6 " \x n ) ® \9 n )(9 n \ is the state obtained when system A r ' 
is measured in the basis defined in the register 9" and the function 7 is defined by 



7(^2 



h 2 ifh 2 ^ 1/2 

g~\h 2 ) ifh 2 < 1/2. 



with g(a) — h(a) + a — 1. 

Proof. We apply Theorem 1 with Ma<^x™b 
We have 

2 -H 2 (x"e"|i?) A4(p) = Tr 



where Af(p) = ^ Exe{o,i},0e{o,i} 
(p E 1/ \N® n ®- v \){pA~ E )p\ 



<g> \x)(x\(x\H e pH e \x). 



= 7T Y Tr 

2" ' 
0"e{o,i}'* 

_ 2-' li 2{x"\Ee n ) p 



Pe 1/4 E \0 n )(0 n \®W l )(x n \(x n \H en p A ~EH en \x n )p E 

a;"e{0,l}" 



1/4 



where in the last line we used the expression for the entropy conditioned on a classical system (Lemma 23). 
We then evaluate the state 



(A/" f o7V® id)($) = i (|00)(00| + |11)(11| 
= \ ( *o + + 



-){- 



where are defined in Equations (9) and (10). 8 In the notation of Theorem 1, we have for the map Ai and for 
s G {0, 1, 3}™, A s = 7^- • For s ^ {0, 1, 3}", X s = 0. As a result, when applying Theorem 1, it is natural to choose 
the partition 6+ U 6_ of the form 6+ = {s e [d 2 ] n : \s\ < £ Q } and ©_ = {s £ [d 2 ] n : \s\ > £ Q } for a value of 
£0 € {0, . . . , n} to be chosen as a function of h 2 . We obtain for any £ 



(26) 



Note that $2 is the projector on the anti-symmetric subspace and hence cannot appear in this decomposition. 
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where 5i Q < n -i = 1 if £ < n — 1 and if £ a — n. If h 2 > 1/2, let £ — n, in which case we obtain a bound of 

2-H 2 (x"|Ee") p ^ 2~ h2n 

If fe 2 < 1/2, then we are going to choose £ < n/2. Define the function g(a) = h(a) + a - 1 and let a ^ 1/2 be such 
that g(a a ) = h 2 . We then choose £q = la Q n\ . As a result, 

to / 
1=0 



2"Ci(o!o) — ^2 — 1) _ 2"( _ Ct + l + h 2 — h 2 — l) _ 2^ "0" 



where the first inequality is due to Lemma 25. In addition, we have 2 e ° 1 ^ 2 a °". Using these bounds in (26), we 
obtain in this case 

2-H 2 (X"|£e™) p ^ 2-aon+l 

Taking the logarithm leads to the desired result. □ 

The following corollary expresses the uncertainty relation described in Theorem 10 in terms of min-entropies, 
which will be more convenient for the cryptographic applications. 

Corollary 11. Using the same notation as in Theorem 10, we have 

R min (X n \EQ n ) p > l -( ni (h 2 ) - 1) (27) 
>\{ni(h min )-l). (28) 

where h min — Hmin ^ Moreover, for any e e (0, 1], we have 

Hl in (X n \EQ n ) p ^ ni (h 2 ) - 1 - log J,. (29) 

Proof. To obtain (27), observe that U min {X n \E<d n ) p > \R 2 (X n \EQ n ) p , using Lemma 18. To replace h 2 by h min , we 
use the corresponding lower bound in Lemma 17. To obtain (29), we use Lemma 19. □ 

2. Uncertainty relation for measurements in MUBs 

Consider a system A n of n qudits and consider a full set of d+1 mutually unbiased bases (MUBs) in dimension d. A 
set of bases are said to be mutually unbiased if for any pair of vectors \v) , \ w) in two different bases, we have | (v \ w) | = 
dr 1 / 2 . We then measure each one of these qudits in a randomly chosen basis from this set. More precisely, choose a 
random vector O™ e [d + 1]" and measure qudit i in the basis specified by the i-th component of 0™. Let Uq™ be the 
unitary that transforms the basis 9 n into the standard basis. We prove an uncertainty relation for these measurements 
in the presence of quantum side information. Previously, uncertainty relations for these measurements taking into 
account possible quantum side information were proven in [11]. The main improvement here is that the uncertainty 
lower bound is nontrivial for any h 2 > — logd. Specifically, for entropy rates h 2 < — (log(rf + 1) — 1), this theorem 
provides the first nontrivial uncertainty rates for single-qudit measurements in MUBs. However, when h 2 is close to 
0, the bound of [11] is better than the one provided here. See Figure 2 for a comparison. 

Theorem 12. Let pa™ e € S(A n E) where A n is an n-qudit space and define h 2 = IMAJiElp^ Then we have 

R 2 (X n \EQ n ) p > n ld {h 2 ) - 1, 

where px»Ee n — ^xe[d] n e™e[d+i]« \x){x\{x\Uenp A n E ul n \x) \6 n )(9 n \ is the state obtained when system A n is 

measured in the basis defined in the register 9" and 



ld{h 2 ) 



h 2 ifh 2 >^log(d+l) 



ff\h 2 ) ifh 2 <^log(d + l) 
with fd{a) — h(a) + a log(d 2 - 1) - log d defined as in Theorem 2. 
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Proof. We apply Theorem 1 with M A »->jr»e» - AA®" where 7V(p) - ^= Exe[<fl,fle[d+i] l >< l ® kX^K^I^P^k). 
Analogous to the proof of Theorem 10, it is simple to see that 2- H2 ( x " e "l B Wp> = 2- H2 ( x "1 B0r *)p. We have in this 



case 



((A^t oAA) id)($) = ^- l E (x\U e \i)(j\U%\x) Ul\x){x\u e |i)01 

ee[d+i],xe[d],*,je[d] 

= E ul\x){ x \u e ® E (^^|i)01^V)K)01 

= E ^><^®T(^|x}(x|[/ ), 

ee[d+i],x€H 

where $ is the unnormalized maximally entangled state across two qudits, and T denotes the transpose with respect 
to the standard basis. Now we use the fact that the states {Ud\x)}s e [d+i].xe[d} form a state two-design [35]: 

E ul\x)(x\Ue®ul\x)(x\Ue = id AA + 
ee[d+i],xe[d] 

where F AA denotes the swap operator F = J2 X x 'e[d] \ x )( x '\ ® \ x> ) ( x \ - As ® ~0(F) = $, we have 

(TV T o 7v ® id) ($) = = ; 1 J - = - $o H 

v d + 1 d + 1 d(d + l) V rf + 1 

This means that for the n-fold tensor product = A/" 181 ™, we have using the notation of Theorem 1 that A s = 
d^Jd+TjM f° r a ^ s e [d 2 ]™. As a result, when applying Theorem 1, it is natural to choose the partition & + U 6_ of 
the form 6+ = {s e [d 2 ]™ : |s| < 4} and 6_ = {s e [d 2 ]™ : |s| > £ } for a value of £ e {0, ... , n} to be chosen as a 
function of /i 2 . We obtain for any £ , 

in / 

n 



2 -H 2 (X"|Se") p < £ " (d 2 - l)<2- fc »»(d + lj-'d"" + (d + l)-'''- 1 */,,^,,-! 

£ ° / \ 

= E U ( rf - l)V"^-" lo s d + (d + l)"^- 1 ^^^!, (30) 



£=0 



where <^ < n -i = 1 if ^ n — 1 and otherwise. If /i 2 > log(d + 1), let £ = n, in which case we obtain a bound 
of 



n , s 

2 -H 2 (x"|_Ee") p ^ j n )(d- i)^2 _ " /l2_rilog ' i = 2~ h2n 



If h 2 < ^ log(d + 1), then we are going to choose £ < Note that fd(^) = ^ log(d + 1). As h 2 < 

log(d + 1) and f d is nondecreasing on [0, (d — 1) /d], we can find a < (d — l)/d be such that /<j(a ) = /i 2 - We then 
choose = [aon\ . As a result, 



E(")(d-i)Vfc- 

£=0 w 



(logd)n ^ 2 n C l (^o/ n )+^o/ rl l°g( rf— — "Ci2+log d)) 

2«Ci(ao)+ao log(d— 1) — h 2 — log d) 
_ 2™(-"o log(d+l)+logd+/i 2 -ft2-log(i) _ ^ _|_ ^j-aon 

where the first inequality is due to Lemma 25. In addition, we have (d + l) _£o_1 < (d + l)- Q o". Using these bounds 
in (26), we obtain in this case 

2 -H 2 (x"|£;e") p ^ 2(d+ l)" aon . 
Taking the logarithm leads to the desired result. □ 
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The following corollary expresses the uncertainty relation described in Theorem 12 in terms of min-entropies. The 
proof is the same as Corollary 11. 

Corollary 13. Using the same notation as in Theorem 12, we have 

R min (X n \E& n ) P > \ {nid{h 2 ) - 1) (31) 

> \ (n ld (h min ) - 1) . (32) 
where h min = Hmin ^l £ ^ , Moreover, for any e e (0, 1], we have 

W min (X n \EQ n ) p > n ld {h 2 ) - 1 - log A. (33) 

E. Security in the noisy-storage model 

1. General noisy storage model 

We now use our new uncertainty relations to prove that the primitive weak string erasure can be secure as soon as 
one of the parties has a memory that cannot reliably store n qubits. In weak string erasure, the objective is to generate 
a string X n such that Alice holds X n and Bob holds a random subset / C [n] and the bits Xj of X n corresponding 
to the indices in I. Randomly chosen here means that each index i e [n] has probability 1/2 of being in I. The 
security criterion is that at the end of the protocol, a cheating Bob should have a state satisfying H min (Jf™|_B) ^ An 
where B represents Bob's system, and a cheating Alice should not learn anything about I. To summarize all relevant 
parameters, we speak of an (n, A)-WSE scheme and refer to [37] for a definition 9 . It is proved in [37] that bit 
commitment can be implemented using weak string erasure and classical communication. 

Protocol. The protocol we use here is the same as the one of [37]. Alice prepares a random string X n e {0, 1}™ and 
encodes each bit X; t in either the standard basis 0, = or the Hadamard basis 0, = 1, each with probability 1/2. 
Then Bob measures these qubits in randomly chosen bases - . After the waiting time, Alice reveals both X n and n . 
The set I is defined by / = {i : 0, = 0^}. For a more detailed description of the protocol, we refer the reader to [37]. 

To state the result, we first define the notion of channel fidelity introduced by [5] which is perhaps the most widely 
used quantity to measure how good a channel is at sending quantum information. For a channel N : S(Q) -> S(Q ), 
the channel fidelity F c quantifies how well N preserves entanglement with a reference: 

F C (N) = F{*» A , [TV id A ] (34) 

where §q A is a normalized maximally entangled state. For example, one way of defining the (one-shot) quantum 
capacity with free classical forward communication of a channel T B ^c is by the maximum of log \Q\ over all encod- 
ings £ : S(Q) -> S(B M) and decodings V : S(C M) -> S(Q') such that F C (V o id M ) ° £) > 1 - e for small 
enough e. Here idAf refers to a noiseless classical channel. 

The following theorem states that as soon as the storage device of Bob cannot send quantum information with 
reliability better than 7], then we can perform two-party computation securely provided 77 ^ 2~ 5n for any 5 > 0. One 
can even obtain security when 77 < 2~ c ( log "+ lo s ™ 1 °s( 1 /e)) f or some large enough constant c. Previously, this was only 
known when ry < 2-( 2 - lo s 3 > 1 [11]. 

Theorem 14. Let Bob's storage device be given by T : S(H in ) -> S(B), and let rj G (0, 1). Assume that we have 

maxF c (V o (T ® id M ) o £) 2 ^ 77 (35) 

where the maximum is over all quantum channels £ : S ((C 2 )® 11 ) -> S(H m M) and V : S{B M) S((<C 2 )® n ). 
Then, the protocol described above implements a (n, X)-WSEfor 

A=^7(-l + log(l/» 7 )/n)-i 



9 Note that the original definition includes a security error e, which in our case is e = 0. 
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Proof. The proof of correctness of the protocol, and security against dishonest Alice is identical to [37] and does not 
lead to any error terms. 

For the security against dishonest Bob, it is convenient to imagine a purification of the protocol, in which Alice 
prepares n EPR pairs &%>q/ where she sends Q to Bob and later measures her n qubits A n in randomly chosen 
BB84 bases. Bob's general attack is illustrated in Figure 3. We use the uncertainty relation in Equation (28), with 

E = BMQ n on pA n BMe™- In order to do that, we first derive a lower bound on h min = Hmi "^ ^ MB — . Note that 
because 6™ is independent of A n BM, we have E min (A n \BMQ n ) p = U min {A n \BM) p . We now use Condition (35) to 
obtain a lower bound on H m i n (A n \BM). 
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FIG. 3: An attack of dishonest Bob is described by an encoding attack £ and a guessing attack because for classical X n the min- 
entropy H m i n (X"|BMO n ) is directly related to the probability that Bob guesses X". The uncertainty relation of (32) is going to 
allow us to relate this guessing probability to how well a decoding attack T> can preserve entanglement between Alice and Bob, 
where V acts on BM. 



In fact, we use an operational interpretation of the conditional min-entropy due to [36]: 

K miu (A n \BM) p = -\oz\A n \ max F{*% An , \d A n A(p A n BM )) 2 , (36) 

A-BM—>A n 

where <I>^„^„ is the normalized maximally entangled state across A n A n . That is, the min-entropy is directly related 
to the "amount" of entanglement between A n and BM. The map A in (36) can be understood as a decoding attack 
T) aiming to restore entanglement with Alice. 

Further, note that the expression in (36) is the same as 

maxF klv. <8> [V o {F id M ) o £] ($1„ Q )) = m&xF c {V o (F id M ) o 8) . (37) 

By the assumption on the storage device J- , we obtain that for any encoding £ and decoding T> attack of Bob 

R min (A n \BM) p > - log 2 n F c (Vo (F®Jd M ) of) 2 
>-(n-Iog(l/»j)). 

Then, using the uncertainty relation of (28), we obtain 

H mhl (X n \BMe n ) P > \ (n 7 (-1 + log(l/?7)/n) - 1) , 
which proves the desired result. □ 



2. Special case: bounded storage model 



The next theorem simply states the result in the important special case of the bounded storage model. 

Theorem 15 (WSE in the bounded storage model). If Alice has q qubits of quantum memory then the protocol described in 
the previous section implements (n, X)-WSE with A = \ (7(— q/ri) — i). 
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Proof. The proof is the same as Theorem 14, but we can now directly obtain a lower bound on H 2 (i n |BA/) p ^ — q 
using Lemma 23. By (27), we have 

R min (X n \BMQ n ) p > I(n 7 (-«/n) - 1). 

□ 

Previously, in this case, security was only proven when q < ^ [42] with a variant of this protocol that uses a 
six-state encoding. Using the estimate in Claim 24, the previous theorem shows that q < n — c log 2 n for some large 
enough c would be sufficient to perform WSE securely. Using the construction of [37], this leads to a secure bit 
commitment provided q < n — clog 2 n — clognlog(l/e) for some large enough constant c and where e is the failure 
probability. 

V. CONCLUSION 

We have determined a bound on how the min-entropy changes when A is transformed to A4(A) for a certain 
general class of processes A4 . Our results on entanglement sampling, as well as uncertainty relations with respect to 
quantum side information then follow naturally for different choices of A4 . Our results on entanglement sampling 
have in fact already found applications in the context of studying properties of random quantum circuits [13]. 

One important aspect of our results compared to previous works on uncertainty relations and quantum random 
access codes is to give nontrivial bounds for all the range of possible min-entropy of the input. However, for some 
specific ranges of the input entropy, other techniques lead to better rates. It would be interesting to see if it is possible 
to combine our techniques with ideas from previous work such as [11] for uncertainty relations or [6] for random 
access codes to obtain tight bounds. It is likely that other interesting statements can be made using Theorem 1 for 
different maps, and it is an interesting open question to extend our results to more general maps. 

Acknowledgments 

We thank Oleg Szehr, Marco Tomamichel and Thomas Vidick for useful discussions. OF is supported by the 
European Research Council grant No. 258932. SW thanks ETH Zurich for their hospitality. SW is supported by the 
National Research Foundation and the Ministry of Education, Singapore. FD acknowledges support from the Danish 
National Research Foundation and The National Science Foundation of China (under the grant 61061130540) for the 
Sino-Danish Center for the Theory of Interactive Computation, within which part of this work was performed; and 
also from the CFEM research center (supported by the Danish Strategic Research Council) within which part of this 
work was performed. 



[1] A. Abeyesinghe, I. Devetak, P. Hayden, and A. Winter. The mother of all protocols: Restructuring quantum information's 

family tree. Proceedings of Royal Society A, 465:2537, 2009. arXiv:quant-ph/0606225. 
[2] A. Ambainis, A. Nayak, A. Ta-Shma, and U. Vazirani. Dense quantum coding and quantum finite automata. /. ACM, 

49(4):496-511, 2002. arXiv:quant-ph/9804043. 
[3] S. Bandyopadhyay P. Boykin, V. Roychowdhury, and F. Vatan. A new proof for the existence of mutually unbiased bases. 

Algorithmica, 34(4):512-528, 2002. arXiv:quant-ph/0103162. 
[4] H. Barnum and E. Knill. Reversing quantum dynamics with near-optimal quantum and classical fidelity. /. Math. Phys., 

43:2097,2002. 

[5] H. Barnum, E. Knill, and M. A. Nielsen. On quantum fidelities and channel capacities. IEEE Trans. Inform. Theory, 46:1317- 

1329, 2000. arXiv:quant-ph/9809010. 
[6] A. Ben-Aroya, O. Regev, and R. de Wolf. A hypercontractive inequality for matrix-valued functions with applications to 

quantum computing and LDCs. In Proc. IEEE FOCS, 2008. arXiv:0705.3806. 
[7] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proc. International 

Conference on Computers, Systems and Signal Processing, 1984. 
[8] M. Berta, F. Brandao, M. Christandl, and S. Wehner. Entanglement cost of quantum channels. arXiv:1108.5357, 2011. 
[9] M. Berta, M. Christandl, R. Colbeck, ]. M. Renes, and R. Renner. The uncertainty principle in the presence of quantum 

memory. Nat. Phys., 6:659, 2010. arXiv:0909.0950. 
[10] M. Berta, P. Coles, and S. Wehner. An equality between entanglement and uncertainty. 2013. arXiv:1302.5902. 



23 



[11] M. Berta, O. Fawzi, and S. Wehner. Quantum to classical randomness extractors. In Proc. CRYPTO, volume 7417 of LNCS, 
pages 776-793. Springer Verlag, 2012. arXiv:1111.2026. 

[12] Niek J. Bouman, Serge Fehr, Carlos Gonzalez-Guillen, and Christian Schaffner. An all-but-one entropic uncertainty relation, 
and application to password-based identification. In Kazuo Iwama, Yasuhito Kawano, and Mio Murao, editors, Theory 
of Quantum Computation, Communication, and Cryptography, volume 7582 of Lecture Notes in Computer Science, pages 29-44. 
Springer Berlin Heidelberg, 2013. arXiv:1105.6212. 

[13] W. Brown and O. Fawzi. Decoupling with small-depth random quantum circuits. 2013. in preparation. 

[14] H. Buhrman, M. Christandl, P. Hayden, H. K. Lo, and S. Wehner. Possibility, impossibility, and cheat sensitivity of quantum- 
bit string commitment. Phys. Rev. A, 78(2):22316, 2008. arXiv:quant-ph/0504078. 

[15] H. Buhrman, M. Christandl, and C. Schaffner. Complete insecurity of quantum protocols for classical two-party computation. 
Phys. Rev. Lett., 109:160501, 2012. arXiv: 120 1.0849. 

[16] C. Cachin and U. M. Maurer. Unconditional security against memory-bounded adversaries. In Proc. CRYPTO, volume 1294 
of LNCS, pages 292-306, 1997. 

[17] H.F. Chau and H-K. Lo. Making an empty promise with a quantum computer. Fortschritte der Physik, 46:507-520, 1998. Re- 
published in 'Quantum Computing, where do we want to go tomorrow?' edited by S. Braunstein, arXiv:quant-ph/9709053. 

[18] I. Damgard, S. Fehr, R. Renner, L. Salvail, and C. Schaffner. A tight high-order entropic quantum uncertainty relation with 
applications. In Proc. CRYPTO, volume 4622 of LNCS, pages 360-378. 2007. arXiv:quant-ph/0612014. 

[19] I. Damgard, S. Fehr, L. Salvail, and C. Schaffner. Cryptography in the bounded quantum-storage model. In Proc. IEEE FOCS, 
pages 449-458, 2005. arXiv:quant-ph/0508222. 

[20] I. Damgard, S. Fehr, L. Salvail, and C. Schaffner. Secure identification and QKD in the bounded-quantum-storage model. In 
Proc. CRYPTO, Springer Lecture Notes in Computer Science, pages 342-359, 2007. arXiv:0708.2557. 

[21] G. D'Ariano, D. Kretschmann, D. Schlingemann, and R.F. Werner. Quantum bit commitment revisited: the possible and the 
impossible. Phys. Rev. A, 76:032328, 2007. arXiv:quant-ph/0605224. 

[22] L. del Rio, J. Aberg, R. Renner, O. Dahlsten, and V. Vedral. The thermodynamic meaning of negative entropy. Nature, 
474:61-64,2011. 

[23] L. del Rio, A. Hutter, R. Renner, and S. Wehner. Relative thermalization. In preparation, 2013. 

[24] F. Dupuis. The decoupling approach to quantum information theory. PhD thesis, Universite de Montreal, 2010. arXiv:1004.1641. 
[25] F. Dupuis, M. Berta, J. Wullschleger, and R. Renner. One-shot decoupling. 2010. arXiv:1012.6044. 

[26] S. Dziembowski and U. Maurer. On generating the initial key in the bounded-storage model. In Proc. EUROCRYPT, volume 

3027 of LNCS, pages 126-137, 2004. 
[27] V. Guruswami. Introduction to Coding Theory, course notes. 2010. 

[28] P. Hausladen and W. Wootters. A pretty good measurement for distinguishing quantum states. /. Mod. Optic, 41(12):2385- 
2390,1994. 

[29] M. Hayashi. Quantum information. Springer, 2006. 

[30] P. Hayden, M. Horodecki, J. Yard, and A. Winter. A decoupling approach to the quantum capacity. Open Systems and 

Information Dynamics, 15:7-19, 2008. arXiv:quant-ph/0702005. 
[31] P. Hayden and J. Preskill. Black holes as mirrors: quantum information in random subsystems. /. High Energy Phys., page 

120, 2007. arXiv:0708.4025. 

[32] M. Horodecki, }. Oppenheim, and A. Winter. Quantum state merging and negative information. Comm. Math. Phys., 269:107, 

2006. arXiv:quant-ph/0512247vl. 
[33] A. Hutter. Understanding Equipartition and Thermalization from Decoupling, 2011. 

[34] R. Impagliazzo, L. Levin, and M. Luby. Pseudo-random generation from one-way functions. In Proc. ACM STOC, pages 
12-24. ACM, 1989. 

[35] A. Klappenecker and M. Rotteler. Mutually unbiased bases are complex projective 2-designs. In Proc. IEEE ISIT, pages 

1740-1744, 2005. arXiv:quant-ph/0502031. 
[36] R. Konig, R. Renner, and C. Schaffner. The operational meaning of min- and max-entropy. IEEE Trans. Inform. Theory, 

55:4674-1681, 2009. arXiv:0807.1338. 
[37] R. Konig, S. Wehner, and J. Wullschleger. Unconditional security from noisy quantum storage. IEEE Trans. Inform. Theory, 

58(3):1962 -1984, 2012. arXiv:0906.1030. 
[38] R. Konig and R. Renner. Sampling of min-entropy relative to quantum knowledge. IEEE Trans. Inform. Theory, 57(7):4760 

-4787, 2011. arXiv:0712.4291. 

[39] N. Linden, S. Popescu, A.J. Short, and A. Winter. Quantum mechanical evolution towards thermal equilibrium. Phys. Rev. 
£., page 061103, 2009. 

[40] H-K. Lo. Insecurity of quantum secure computations. Phys. Rev. A, 56:1154, 1997. 

[41] H-K. Lo and H. F. Chau. Is quantum bit commitment really possible? Phys. Rev. Lett., 78:3410, 1997. 

[42] P. Mandayam and S. Wehner. Achieving the physical limits of the bounded-storage model. Phys. Rev. A, 83:022329, 2011. 
arXiv:1009.1596. 

[43] U. Maurer. Conditionally-perfect secrecy and a provably-secure randomized cipher. /. Cryptol., 5:53-66, 1992. 
[44] D. Mayers. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett., 78:3414-3417, 1997. 
[45] A. Nayak. Dense quantum coding and a lower bound for 1-way quantum automata. In Proc. ACM STOC, pages 369-377, 
1999. 

[46] N. Ng, S. Joshi, C. Chia, C. Kurtsiefer, and S. Wehner. Experimental implementation of bit commitment in the noisy-storage 

model. Nat. Comm., 3:1326, 2012. 
[47] N. Nisan and D. Zuckerman. Randomness is linear in space. /. Comput. Syst. Sci., 52(1):43 - 52, 1996. 



24 



[48] S. Popescu, A. J. Short, and A. Winter. Entanglement and the foundations of statistical mechanics. Nat. Phys., 2:754-758, 2006. 
[49] R. Prevedel, D. Hamel, R. Colbeck, K. Fisher, and K. Resch. Experimental investigation of the uncertainty principle in the 

presence of quantum memory and its application to witnessing entanglement. Nat. Phys., 7:757-761, 2011. 
[50] R. Renner. Security of quantum key distribution. Int. J. Quantum Inf., 6:1, 2008. arXiv:quant-ph/0512258. 
[51] C. Schaffner, B. Terhal, and S. Wehner. Robust cryptography in the noisy-quantum-storage model. Quantum Inf. Comput., 

9:11,2008. arXiv:0807.1333. 

[52] O. Szehr, E Dupuis, M. Tomamichel, and R. Renner. Decoupling with unitary almost two-designs. 2011. arXiv:1109.4348. 
[53] K. Temme and M. Kastoryano. Quantum logarithmic sobolev inequalities and rapid mixing. 2012. arXiv:1207.3261. 
[54] M. Tomamichel. A Framework for Non-Asymptotic Quantum Information Theory. PhD thesis, ETH Zurich, 2012. arXiv:1203.2142. 
[55] M. Tomamichel, R. Colbeck, and R. Renner. A fully quantum asymptotic equipartition property. IEEE Trans. Inform. Theory, 

55:5840-5847, 2009. arXiv:0811.1221. 
[56] M. Tomamichel, C.C.W. Lim, N. Gisin, and R. Renner. Tight finite-key analysis for quantum cryptography. Nat. Comm., 3:634, 

2012. 

[57] M. Tomamichel and R. Renner. Uncertainty relation for smooth entropies. Phys. Rev. Lett., 106(11):110506, 2011. 

arXiv:1009.2015. 
[58] S. Vadhan. Pseudorandomness. 

[59] S. Vadhan. Constructing locally computable extractors and cryptosystems in the bounded-storage model. /. Cryptoh, 17:43- 
77, 2004. 

[60] S. Wehner, C. Schaffner, and B. Terhal. Cryptography from noisy storage. Phys. Rev. Lett., 100:220502, 2008. arXiv:0711.2895. 
[61] S. Wehner and A. Winter. Entropic uncertainty relations— a survey. New ]. Phys., 12:025009, 2010. arXiv:0907.3704. 
[62] Michael Wolf. Quantum channels and operations, guided tour. 2012. 

[63] J. Wullschleger. Bitwise quantum min-entropy sampling and new lower bounds for random access codes. 2010. 
arXiv:1012.2291. 

[64] A. C.-C. Yao. Security of quantum protocols against coherent measurements. In Proc. ACM STOC, pages 67-75, 1995. 



Appendix A: Technical Lemmas 
Lemma 3. For any £ e {0, . . . , n} such that £ < ^p^-n where d 2 < n, we have 

Proof. It is convenient to study separately the case where £q ^ (n — k) and the case where £q > d ^ (n — k). 
More precisely, the following claim introduces the value fco that separates these two cases. 

Claim 16. There exists ko € {1, ... ,n} such that £ ^ ^r-{ n — &o + 1) such that 

1. for k < k , ( n - k ){<f -If^n- ("- fc )(d 2 - 1)*>, 

2- and E^„_ feQ r/°)(d 2 - 1)' = (rf 2 )"- fc0 < n ■ ( n ^°)(d 2 - !)*>. 
Proof. We have for £ ^ 1, 



(TAW 2 - l Y- x " 1 

Now define £ max (fc) to be the largest integer such that ^ max (&) < ^~w"i n — k + 1). In this case, we have for £ < 
f max (fc), (d 2 — 1) "~ fc ~ £+1 ^ l. As a result, we have that for a fixed k, the expression ( n 7 fc ) (d 2 — l) is increasing for 
£ < ^max(fc)- In addition, if £ > £ max (k), then £ > ^-^{n — k + 1) which means that for £ > £ m3X {k), the expression 
("7 fe )(d 2 -l)Ms decreasing. 

We choose fc to be the largest integer such that £$ ^ ^-gr-(n — ko + 1). Note that such a fco exists because we 

assumed £ ^ ^p^n. This means that £ > (n — k ) > (n — k + 1) — 1. This implies that £ = £ ma ^{k ) is the 

maximum of ( n ~ e k °) (d 2 — l) over £ e {0, . . . , n — ko}. Both points then follows from bounding the sum by n times 
the largest term. □ 
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As a result, we have for k < k , 



4 

-« -,^ (»-^)---(»-4-fc+i) 

UJ ( j n---(n-fc + l) " ' 



Note that for k = 1, the result simply follows from the fact that n— ^ — 1^1, which itself comes from our assumptions 

d 2 



^ ^772^ n and rf 2 < n. For k > 1, we can continue with 



£=0 

fe 



r ; ('^W-l)'"< 



For fc > fco, 



/ n — k 



^ n • 



4 



^(d 2 -i)^d- 2 ( fe - fe °) 



, 2 1 ^ n (n - 4) • • • (n - 4 - k + 1) ^ 1 



k—k 



--ur-"- ' ■ (A1) 

For fc > 1, we use the fact that 4 < ^^r 1 ^ - + 1), which implies that ^ < "~iV +i +1 - T 1 ™ 8 ' 

£( n 7 fc V 2 -i)^d 2(n - fe) 

<?=cA ' 

<„ M 2 i x/c (n-e )...(n-e -ko + 

W J n---(n-fc + l)(fe-M+i 

->>'"<"-« 

<n 2 [; ].,■■- II 



£ y V n 



For fc = 1, (Al) becomes 

ect)^- 1 ^"-!;:)^- 1 ) 



n — fc\ 2 « { n \ i ,2 \£n n ~ / 1 N 



V ' n W 2 



1^ 



^Ur 1} W 2 

using the assumption n > d 2 . □ 



Appendix B: Some useful properties of entropy measures 



Lemma 17. Let p AB e S^(AB). Then, R min {A\B) p < H 2 (A|S) p s? 2H min (A| J B) p + logd A . 
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Proof. The first inequality can be proven as follows: 



2 -H min (A|B) p = max Tr[E ABPAB ] 

Eab 'Eb —ids 



> Tr [(Ps 1/; 1 PabPb' a )pab\ 

= 2 -H 2 (.4|B) p ^ 

For the second inequality, we proceed as follows. By [36], there exists a CPTP map £b^a< with A' = A, such that 

H m i n (A|S) p = U min (A\A') £{p) . Letting p = £{p) and w A , = \Tf>A< I TrfVpI 7 ], we get 

2 -H min (A|B) p = 2 -H min (A|A')p 
< 2 -H min (A|A')p|„ 



-1/2,. 



,-1/2 



--1/4-. --1/4 

Pa' Paa'P a , 

— 1/4- — 1/4 

P A > Paa'Pa' 



A' PAA>U A , 

oc 

TrWpA'} 

= ^-^(AlAOpip Tr[yp>] 
s$ v/2-H 2 (A|B) p Tr[v/>>] 
sC ^d A 2-^( A \ B ^, 

and the lemma follows. □ 

Lemma 18. Let p X B € S^(XB) be a CQ state, and let a e S<^(B) be such that R irLin (X\B) p = K min (X\B) p \ a . Then 

B min (X\B) p sC H 2 (X\B) p < 2R min (X\B) p . 

Proof. The lower bound is a special case of Lemma 17. For the upper bound, from the operational interpretation of 
H m in, we get that there exists a measurement M b^x> such that H m i n (^|-B) P = H. m i n (X\X') M ( p y Using this, we get 
that 

2 -H min (X|B) p _ 2 -H min (X|A' )m(p) 

= E x ,2^ H " ,il,( - x ^ x ' =x '^ M ^ 
^ E^/2 _ 5 h 2( x I x '=^')m(p) 



sC ^E x ,2~ u ^ x \ x '= x ')m W 

= \J 2~ \ x ')m(p)\m( p ) 
<; y/2-Kz(X\B) p _ 

where the first inequality follows from an application of Cauchy-Schwarz, the second from the concavity of the 
square root, and the third from the monotonicity of H 2 under CPTP maps. The last equality is due to the following: 

E _ i2 -n 2 (x\x>=x') M(p) = J- Pr {X' = x'} Pr i x = x\X' = x'f 

X 1 x 

= Tr[((idx ® PxJ^pxx' (idx Px V 4 )) 2 ] 

_ 2 -H 2 (A'|X )m(p)\M(p) 



□ 



Lemma 19. Let p AB e S^(AB). Then, H 2 (,4|B) P W min (A\B) p + log ■ 



This lemma is very similar to Theorem 7 in [55], but note that they use a slightly different definition of H 2 . The 
proof of this version of the lemma is, therefore, very similar to theirs. 
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Proof. First, note that R £ min (A\B) p > W min {A\B) p]p . Let A = (p AB - 2-' li ^ < - A \ B ^\»id A p B )+ (where (•)+ denotes the 
nonnegative part of an operator). Let A > be such that W min (A\B) p \ p > - log A and e = \Jl Tr[A] (such a A exists 
by Lemma 15 of [55]). Furthermore, let P be the projector onto the support of A. We then have that 

Pp AB P> \P(id A ® PB )P 

{p PB p)- x i 2 p PAB p{pp B pr i i 2 > \p AB , 

where we have omitted the id^'s in the second line. Using this, we get that 

y - Tr[A] 

= Tv[P(p AB - Xid A p B )P] 
< Tv[Pp AB P] 

SC A" 1 TllPpABPiPpBPy^PpABPiPpBP)- 1 / 2 } 

/ \~ 1 2- D2 ( ,9A - B " id - 4 ® p - B - ) 

^ 2 R e Iain (A\B) l> -K 2 (A\B)^ 

where D 2 is defined in Definition 20 and the last inequality is due to Theorem 21. □ 
Definition 20. Let D 2 (X\\Y) be defined as 

2 d 2 (x\\y) ._ Tr[(r" 1 / 4 xr _1/4 ) 2 ]. 

Theorem 21. D 2 (£(X)\\£(Y)) ^ D 2 (X\\Y) for any CPTP map £. 

Proof. Consider the map (L, R) i-> LRr 1 / 2 L Br 1 !" 1 . Theorem 5.14 in [62] shows that it is jointly operator convex, 
by taking g(R) = i? 1/2 (i? 1/2 ) T (which is operator concave by [62, Corollary 5.5, point 1]), h(L) = L id, f(x) = x 2 . 
This entails that (L, R) i-> Tr^ 1 / 2 LR- 1 / 2 L] is also jointly operator convex, via the fact that 

Tr[ir 1/2 Lir 1/2 L] = Tr[$(Lir 1/2 L (iT 1/2 ) T )]. 
We now invoke Theorem 5.16 from [62] on this functional to conclude the proof. □ 

, 2' 



Defining E 2 (A\B) p{a naturally as R 2 (A\B) p{r7 = Tr 



( -1/4 -1/4 V 

\a B p AB a B j 



, we obtain the following corollary. 



Corollary 22. Let p AB e S<^(AB) and a B € S<^(B) such that p B is in the support of a B . Then, for any CPTP map £ B ^c, 
we have that YL 2 (A\B) p \ a ^ H 2 (A\C) £{p) \ £{cj) . 

Lemma 23. Suppose p e S(AQC) is such that the C system is classical, i.e., p A Qc = J2 c P( c )\ c )( c \®PAQf or some probability 
distribution p and orthogonal vectors {|c)} c in C. Then 

U 2 (A\QC) P = -log^p(c)2- H2(A|Q)pC . 



In particular R 2 (A\QC) > — log \ Q\. 
Proof. We have 



Tr 



(id A ® Pq^p A q C \&a ® Pqc*) 



= Tr 



idA ($>(c)|c)<c| p Q r 1/4 ^Mc)|c>(c| P C AQ id A (J2p(c)\c)(c\ p Q f 



1/4 



^Tr [(idA (p(c)p Q )- 1 / 4 p AQ id A (p(c)p^)- 1 / 4 

C 

J>(c)Tr [(idA (^)- 1 / 4 p$ 1Q idA (^)- 1/4 )^ 



V 
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To conclude the proof, we simply observe that Tr (icU (pq) 1 l 4 p A Q\& A <8> (pq) 1 / 4 ) 2 < Trfid^ Pq 1 Paq] = 
Tr[ P Q 1 p Q ] = \Q\. □ 

The following claim gives a bound on the function 7 from Theorem 10 for small values of h 2 - 
Claim 24. Write h 2 = -1 + x with x ^ 1/3, then we have 

7(-l + z) ^ 



101og(l/a;)' 

Proof. Recall that 7 is the inverse of g(x) = h(x) + x — 1. We have 



101og(l/x)7 V 101 ^ 1 /^)/ 101og(l/x) 

< 2 . X - lor 1010 ^ 1 ^ I * 1 

" 101og(l/a;) 8 x 101og(l/x) 

^ 51og(l/x) (kgl° + kgl°g(VaO+l°g(Vs) + ^) -1 
< a; - 1, 

which proves the desired result. □ 
Lemma 25. Let a fee a positive integer. We have for any I ^ 

fc=0 ^ ' 

Proof. See for example [27], Lemma 5. □ 

Appendix C: Operational interpretation of H2 

When X is classical, then it is already known [14] that 

H 2 (X\E) = -]ogP™ M (X\E), 

where -Pguoss ls tne guessing probability using the pretty good measurement which performs very well [28]. For 
completeness, we here include the arguments of [10] regarding the operational interpretation of H 2 for quantum 
information A. Like the min-entropy, it is a natural measure of the entanglement between A and B in that H 2 (A\B) = 
- log[\ A\Fps(A\B) 2 } with 

F™(A\B) = F^ aa ,Ma®^Apab)) , (CI) 

and A^ A , is the pretty good recovery map [4]. To see this, we note that the pretty good recovery map can be written 
as 

a^(0-^-4^(p b 1/2 (-W /2 ) , 

where £%_^ A , denotes the adjoint of the Choi-Jamiolkowski map of p AB , 

Sa^b(-) = \A\ ■ Tr A [((-) T ® id B ) p AB ] . 

Putting this in (4) we arrive at (CI). The map A^^, is pretty good in the sense that it is close to optimal for 
recovering the maximally entangled state, i.e., the following bound holds [4] 

F 2 (A\B) sc F ps (A\B) sc F(A\B) , 

where F(A\B) is the fidelity achievable by the optimal map given in (1). 



